As technology has evolved, so has the adoption and use of next-generation cloud platforms. Over the years, federal government agencies have adopted a multitude of cloud platforms to facilitate more efficient workflows and to create a more secure environment for the data they house.
Most agencies have implemented more than one cloud service, interconnecting them all to increase efficiency and to secure their data even further. This forms what is called an identity nexus: a series of connections linking two or more internet-connected systems so that an identity in one can act in another.
In the cloud environment, the identity nexus is essentially a virtual chain-linked fence of systems and data. Though this appears to be an unbreakable link due to the multitude of security features built into these systems, as technology has evolved so have cyber assailants’ ability to break through that “chain-link fence.”
The challenge that federal agencies are starting to face with Microsoft cloud platforms is that attackers can leverage these connection points to gain access to data, escalate privileges, and move laterally throughout the network.
So how are attackers able to take advantage of these connections? And how should agencies mitigate these attack techniques?
Four ways attackers can gain access to Microsoft directory services
1. Password Vaults
Cyber assailants typically target organization password vaults because compromising them often provides admin rights to every system on the network. This is where the identity nexus can be dangerous if agencies aren’t vigilant.
In this example, there is a workstation that holds a regular user account the attacker is able to compromise. That user, it turns out, has admin rights on the enterprise password vault, and the vault stores admin credentials for Active Directory (AD) and Azure AD.
In a variant of this scenario, the attacker compromises either the workstation or the web browser the account uses to authenticate to the vault, and rides that session into the vault. From there, they have admin rights to AD and Azure AD. The attacker may also find a file share on the network containing credentials for an account that has admin rights to the password vault.
Some of the most essential federal agency system environments are typically managed and maintained within the password vault—making it crucial to protect.
2. Azure AD, AD, & VMware
In this scenario, the attacker compromises an account that holds an Azure AD administrator role. This role has the ability to reset a user's password or update group memberships in the directory.
With that admin role, the attacker resets the password of an account that is already a member of the VMware Admins group. Because password write-back is enabled, the reset does not stay in the cloud: Azure AD Connect writes the new password to the linked on-prem AD account, and AD replicates it to every domain controller, so the on-prem password changes in near real time.
The attacker now knows the password of an account that is a member of the VMware Admins group on-prem, and therefore has admin access to VMware.
3. From Azure AD to Azure to AD
As shown in the graphic below, a global admin can grant themselves access management for all Azure resources with a single click of a "Yes"/"No" toggle (the "elevate access" switch). When an attacker holding Global Administrator flips it, the account is added to the User Access Administrator role at the root scope, and from there they can modify and manage every Azure subscription and management group in the agency's identity nexus.
Once the attacker is a User Access Administrator at root scope, they can assign themselves, or any other account, any Azure role at any scope.
To continue from Azure into AD, the attacker assigns themselves the Virtual Machine Contributor role. This role manages virtual machines through the Azure control plane, including running commands inside them, without ever logging in to the guest.
When domain controllers for on-prem AD are hosted in Azure, an attacker with Virtual Machine Contributor rights can use Run Command to execute code on those domain controllers (DCs) as SYSTEM.
Command execution on the DCs compromises the on-prem AD forest without the attacker ever touching the on-prem environment: any change made on the Azure-hosted DCs replicates back to the on-prem DCs and ultimately compromises Active Directory on-prem.
The global administrator role is very powerful, and federal agencies should monitor its membership and its use so that this chain of attacks is caught early.
4. Azure AD Connect
As discussed in scenario 2, an attacker who compromises an Azure AD user account can go on to compromise VMware.
In this example, the Azure AD Connect server is a virtual machine running on that VMware infrastructure (AD Connect servers are typically virtual), so VMware admin rights are enough to reach it, and compromising the AD Connect server results in the compromise of Azure AD.
Azure AD Connect uses two service accounts: an on-prem AD account granted the directory replication rights needed to synchronize the forest, and an Azure AD account used to write to the tenant, hence the "Connect" in the name. Both sets of credentials live on the AD Connect server, so compromising Azure AD Connect on-prem results in access to Azure AD in the cloud as well as to the on-prem forest.
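To make the chaining in the four scenarios concrete, the following is an added example, not code from the original article. It models each scenario as a directed graph in which an edge from A to B means "control of A yields control of B by the named technique", then enumerates every path from a chosen starting point to a tier-0 asset and ranks the intermediate nodes by how many paths run through them. All node names (user:alice, host:ws01, vm:dc01, and so on) and edges are constructed for illustration; nothing is read from a real tenant.

```python
"""Attack-path finder for the identity nexus described above.

Added example, not code from the original article. Every node name and edge
below is constructed for illustration; nothing is read from a real tenant.
"""


# (source, target, technique): "control of source yields control of target".
EDGES = [
    # Scenario 1: password vault
    ("user:alice",               "host:ws01",                "interactive logon"),
    ("host:ws01",                "vault:enterprise",         "browser session to vault"),
    ("share:fs01-it",            "vault:enterprise",         "vault admin creds in file share"),
    ("vault:enterprise",         "ad:forest",                "stored AD admin credential"),
    ("vault:enterprise",         "aad:tenant",               "stored Azure AD admin credential"),
    # Scenario 2: password write-back
    ("aad:role:PasswordAdmin",   "aad:user:bob",             "reset password (written back on-prem)"),
    ("aad:user:bob",             "group:VMware Admins",      "member of (synced group)"),
    ("group:VMware Admins",      "vmware:vcenter",           "admin on vCenter"),
    # Scenario 3: Azure AD -> Azure -> AD
    ("aad:role:GlobalAdmin",     "azure:role:UAA@root",      "elevate access toggle"),
    ("azure:role:UAA@root",      "azure:role:VMContributor", "self-assign role"),
    ("azure:role:VMContributor", "vm:dc01",                  "Run Command on VM"),
    ("vm:dc01",                  "ad:forest",                "DC replication to on-prem"),
    # Scenario 4: Azure AD Connect
    ("vmware:vcenter",           "vm:aadconnect01",          "snapshot / console access"),
    ("vm:aadconnect01",          "ad:forest",                "AD DS connector account"),
    ("vm:aadconnect01",          "aad:tenant",               "Azure AD connector account"),
]

# What the attacker is ultimately after.
TIER0 = {"ad:forest", "aad:tenant"}


def build_graph(edges):
    """Adjacency list: node -> [(next_node, technique), ...]."""
    graph = {}
    for src, dst, technique in edges:
        graph.setdefault(src, []).append((dst, technique))
        graph.setdefault(dst, [])
    return graph


def find_paths(graph, start, targets):
    """Every simple path from start to a node in targets, shortest first.

    A path is a list of (node, technique) pairs; the technique is the one
    used to reach that node, so the first pair carries None. Walking stops
    at the first tier-0 node reached, since the attacker has already won.
    """
    paths = []
    stack = [(start, [(start, None)])]
    while stack:
        node, path = stack.pop()
        if node in targets and len(path) > 1:
            paths.append(path)
            continue
        seen = {n for n, _ in path}          # simple paths only: no cycles
        for nxt, technique in graph.get(node, []):
            if nxt not in seen:
                stack.append((nxt, path + [(nxt, technique)]))
    return sorted(paths, key=len)


def choke_points(paths):
    """Intermediate nodes ranked by how many paths pass through them.

    Hardening the top entry (for example isolating the vault or the AD
    Connect VM) cuts the most paths at once.
    """
    counts = {}
    for path in paths:
        for node, _ in path[1:-1]:
            counts[node] = counts.get(node, 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def format_path(path):
    text = path[0][0]
    for node, technique in path[1:]:
        text += f" --[{technique}]--> {node}"
    return text


if __name__ == "__main__":
    graph = build_graph(EDGES)
    for start in ("user:alice", "aad:role:PasswordAdmin", "aad:role:GlobalAdmin"):
        paths = find_paths(graph, start, TIER0)
        print(f"{start}: {len(paths)} path(s) to tier 0")
        for p in paths:
            print("  " + format_path(p))
        print("  choke points:", choke_points(paths))
```

Run it and the output shows that a single workstation user reaches both tier-0 assets in three hops through the vault, and that a password-reset right in Azure AD reaches both on-prem AD and Azure AD in five hops through VMware and the AD Connect VM. The choke-point ranking is where to start cutting: in this model every path from the Azure AD side crosses vm:aadconnect01.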
How to protect agency accounts in Microsoft cloud services against cyber-attacks
1. Securing agency password vaults
For federal government agencies to ensure their password vaults are secure, it is important to limit the rights to these vaults by reviewing the AD groups that have access, and to restrict and isolate the highly privileged credentials the vault holds so that only a small, known set of accounts can reach them.
It is also important to confirm that the vault's own credentials are not stored in files, scripts or shares anywhere on the network, where an attacker who has only a foothold could pick them up.
2. Securing Azure AD, AD, & VMware
When looking at an agency's identity nexus, it is critical to examine how these directories and applications are synchronized, and which rights each admin account and role holds in each of them.
Enforce multi-factor authentication (MFA) for every sign-in of each hybrid account, and keep the set of Azure AD roles that can reset passwords as small as possible. With password write-back enabled, one compromised account with reset rights can change a password that is duplicated into the on-prem identity nexus, so no single account should be able to do that unchallenged.
3. Securing Azure AD, Azure, & AD
The key for federal government agencies here is to pay close attention to the global admins of each tenant. MFA and privileged identity management (PIM) are two effective controls against these attacks.
PIM lets agencies require just-in-time activation, with approval, for sensitive Azure AD and Azure roles, including Global Administrator and User Access Administrator, and monitor and alert on the membership of those roles. This gives agencies awareness of exactly when someone obtains that access.
Agencies should also consider separating some systems, such as domain controllers, into a separate Azure tenant. This ensures that a Global Administrator in the primary Azure AD tenant cannot elevate into the Azure environment that hosts the DCs.
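The monitoring that sections 2 and 3 call for, covering password resets on synced admin accounts, global admin elevation, root-scope role assignments, Virtual Machine Contributor over domain controllers, and Run Command against a DC, can be expressed as a small set of detection rules. The block below is an added example, not code from the original article. The record layout (source, operation, caller, target, role, scope) is a flattened stand-in for the real Azure Activity Log and Azure AD audit log schemas, chosen so the example runs offline; the operation strings and audit activity names are the real ones Azure and Azure AD emit. The log lines, the DC inventory and names such as ga@agency.example and dc01 are constructed.

```python
"""Detection rules for the privileged operations used in the attack paths above.

Added example, not code from the original article. The records below are
constructed, not real telemetry; the operation and activity names are the
real strings Azure and Azure AD emit.
"""
import json

# Azure Activity Log operation names.
ELEVATE_ACCESS = "Microsoft.Authorization/elevateAccess/action"
ROLE_ASSIGN = "Microsoft.Authorization/roleAssignments/write"
RUN_COMMAND = "Microsoft.Compute/virtualMachines/runCommand/action"
# Azure AD audit log activity names.
ADD_ROLE_MEMBER = "Add member to role"
RESET_PASSWORD = "Reset user password"

ROOT_SCOPE = "/"
SENSITIVE_AZURE_ROLES = {"Owner", "User Access Administrator"}
VM_CONTROL_ROLES = {"Owner", "Contributor", "Virtual Machine Contributor"}
SENSITIVE_AAD_ROLES = {"Global Administrator", "Privileged Role Administrator"}

# Constructed inventory: VM name -> Azure resource ID of each Azure-hosted DC.
DC_VMS = {
    "dc01": "/subscriptions/11111111-1111-1111-1111-111111111111"
            "/resourceGroups/rg-identity/providers/Microsoft.Compute/virtualMachines/dc01",
}
# Constructed list of synced accounts whose password reset reaches tier 0.
TIER0_USERS = {"bob@agency.example"}

# Constructed records, one JSON object per line; not real telemetry.
LOG_LINES = """
{"time": "2024-05-01T10:00:00Z", "source": "activity", "operation": "Microsoft.Authorization/elevateAccess/action", "caller": "ga@agency.example", "target": "/"}
{"time": "2024-05-01T10:00:20Z", "source": "activity", "operation": "Microsoft.Authorization/roleAssignments/write", "caller": "ga@agency.example", "target": "ga@agency.example", "role": "User Access Administrator", "scope": "/"}
{"time": "2024-05-01T10:01:05Z", "source": "activity", "operation": "Microsoft.Authorization/roleAssignments/write", "caller": "ga@agency.example", "target": "ga@agency.example", "role": "Virtual Machine Contributor", "scope": "/subscriptions/11111111-1111-1111-1111-111111111111"}
{"time": "2024-05-01T10:02:40Z", "source": "activity", "operation": "Microsoft.Compute/virtualMachines/runCommand/action", "caller": "ga@agency.example", "target": "dc01"}
{"time": "2024-05-01T10:03:00Z", "source": "activity", "operation": "Microsoft.Compute/virtualMachines/runCommand/action", "caller": "ops@agency.example", "target": "web01"}
{"time": "2024-05-01T10:04:00Z", "source": "activity", "operation": "Microsoft.Authorization/roleAssignments/write", "caller": "ops@agency.example", "target": "auditor@agency.example", "role": "Reader", "scope": "/subscriptions/11111111-1111-1111-1111-111111111111"}
{"time": "2024-05-01T11:00:00Z", "source": "audit", "operation": "Add member to role", "caller": "ga@agency.example", "target": "svc-backup@agency.example", "role": "Global Administrator"}
{"time": "2024-05-01T11:05:00Z", "source": "audit", "operation": "Reset user password", "caller": "helpdesk@agency.example", "target": "bob@agency.example"}
{"time": "2024-05-01T11:06:00Z", "source": "audit", "operation": "Reset user password", "caller": "helpdesk@agency.example", "target": "carol@agency.example"}
"""


def parse_log(text):
    """One record per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _alert(severity, rule, event):
    return {"severity": severity, "rule": rule, "time": event["time"],
            "caller": event["caller"], "target": event.get("target")}


def _scope_covers_dc(scope, dc_vms):
    """True if any DC resource ID sits under the assignment scope.

    Root ("/") covers everything; a subscription scope covers every
    resource ID that starts with that subscription path.
    """
    prefix = scope.rstrip("/").lower() + "/"
    return any(rid.lower().startswith(prefix) for rid in dc_vms.values())


def detect(events, dc_vms, tier0_users):
    """Apply the rules to each event; return alerts in log order."""
    alerts = []
    for e in events:
        op = e["operation"]
        if op == ELEVATE_ACCESS:
            alerts.append(_alert("critical", "global-admin-elevate-access", e))
        elif op == ROLE_ASSIGN:
            if e.get("role") in SENSITIVE_AZURE_ROLES and e.get("scope") == ROOT_SCOPE:
                alerts.append(_alert("critical", "root-scope-role-assignment", e))
            elif e.get("role") in VM_CONTROL_ROLES and _scope_covers_dc(e.get("scope", ""), dc_vms):
                alerts.append(_alert("high", "vm-control-over-domain-controllers", e))
        elif op == RUN_COMMAND and e["target"].lower() in dc_vms:
            alerts.append(_alert("critical", "run-command-on-domain-controller", e))
        elif op == ADD_ROLE_MEMBER and e.get("role") in SENSITIVE_AAD_ROLES:
            alerts.append(_alert("high", "privileged-aad-role-added", e))
        elif op == RESET_PASSWORD and e["target"].lower() in tier0_users:
            alerts.append(_alert("high", "password-reset-on-tier0-account", e))
    return alerts


if __name__ == "__main__":
    for a in detect(parse_log(LOG_LINES), DC_VMS, TIER0_USERS):
        print(f'{a["time"]} [{a["severity"]}] {a["rule"]}: {a["caller"]} -> {a["target"]}')
```

On the constructed log the rules fire six times and stay quiet on the Reader assignment, the Run Command against a non-DC VM, and the password reset of a user outside the tier-0 set. The first four alerts, all from one caller within three minutes, are the scenario 3 chain end to end; in production the DC inventory and the tier-0 user list would come from the agency's asset and group data rather than from constants.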
4. Securing Azure AD Connect
The key focus of this scenario is very similar to the others. Agencies should be mindful of where Azure AD Connect sits in the identity nexus: the AD Connect server holds credentials for both directories and deserves the same protection as a domain controller, and MFA and PIM should cover every account that can reach it.
Keeping the VMware environment well configured, and tracking who holds its administration roles, is vital for federal agencies to maintain a secure environment in Microsoft cloud directory services.